Just had a look at the code and noticed that it’s only testing for the Microsoft.XMLHTTP progid… I know that that particular namespace/progid is bound to v1 – v3 of MSXML. What I don’t know/understand is why most/all of the Ajax frameworks test for this progid and sometimes others e.g.

(YUI) _msxml_progid:['MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP'] – (if yui is only supporting IE6+) all these progids will point to the same version, so the test is a waste of time…?

I know that IE6 comes with MSXML3 and Microsoft recommend only using MSXML3 (or MSXML6 – which comes with Vista) progids.

Surely if they’re supporting IE6+ then the correct progid is MSXML2.XMLHTTP.3.0 to quote the Microsoft blog…

Try MSXML6 and fallback to MSXML3 – MSXML6 has some improvements that aren’t in MSXML3 such as support for XSD schema, and improved stability, performance, and security. So your app may try out MSXML6 if it is on the box and then “fallback” gracefully. Just remember to test your app with MSXML6 and with MSXML3 so you aren’t surprised when you release your application.

Is there something I’m missing? Are there known bugs with the specific versions of MSXML that these frameworks work-around? What happens if M$ drop support for the “Microsoft” namespace?

Cheers,
Confused.

Comment by DaveC — October 18, 2007
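The "try MSXML6, fall back to MSXML3" order quoted in the comment above, as an added example that is not part of the original thread or of any framework's code. The `env` parameter and the `fakeActiveX` stand-in are hypothetical, constructed so the selection logic can run outside IE; the case where every ActiveX creation fails (not installed, or ActiveX disabled by policy) is reported instead of hidden.

```javascript
// Added example. Progid order follows the quoted guidance: MSXML6, then MSXML3.
var PROGIDS = ['MSXML2.XMLHTTP.6.0', 'MSXML2.XMLHTTP.3.0'];

// env is a hypothetical injection point; in a browser you would pass window.
function createTransport(env) {
  // Native object first: it needs no ActiveX, so ActiveX policy does not apply.
  if (env.XMLHttpRequest) {
    return { via: 'native', object: new env.XMLHttpRequest(), errors: [] };
  }
  if (!env.ActiveXObject) {
    return { via: null, object: null, errors: ['ActiveXObject unavailable'] };
  }
  var errors = [];
  for (var i = 0; i < PROGIDS.length; i++) {
    try {
      var obj = new env.ActiveXObject(PROGIDS[i]);
      return { via: PROGIDS[i], object: obj, errors: errors };
    } catch (e) {
      // Thrown when that MSXML version is absent or ActiveX creation is blocked.
      errors.push(PROGIDS[i] + ': ' + e.message);
    }
  }
  // Nothing could be created: surface why, so the caller can degrade cleanly.
  return { via: null, object: null, errors: errors };
}

// Constructed stand-in for ActiveXObject: only the listed progids "exist".
function fakeActiveX(installed) {
  return function ActiveXObject(progid) {
    if (installed.indexOf(progid) === -1) {
      throw new Error("Automation server can't create object");
    }
    this.progid = progid;
  };
}

// Constructed environments: IE6 with MSXML3 only, and ActiveX fully blocked.
var ie6 = createTransport({ ActiveXObject: fakeActiveX(['MSXML2.XMLHTTP.3.0']) });
var locked = createTransport({ ActiveXObject: fakeActiveX([]) });
console.log(ie6.via, ie6.errors.length);       // which progid was chosen
console.log(locked.via, locked.errors.length); // null plus the recorded failures
```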

Dave,
I think your concerns are very valid. Still I found only one looking serious: “What happens if M$ drop support for the “Microsoft” namespace?” Well, as you saw in the source, this will not be a problem, since in the environments where M$ might consider dropping this support there is already XMLHttpRequest object available – and my implementation will wrap around that one, not trying to locate an existing ActiveX!

Interesting, if nothing else nice just to get cross-browser stats.
Good job :)

Comment by Fredrik — October 18, 2007

There is a specific issue with Microsoft’s early implementation of MSXML (an ActiveX) – some organizations have such strict security that they totally disable ActiveX in IE, but still IE is the default and only browser. There is a workaround in IE 5-6 by using XML data islands, which in turn internally use the same ActiveX object, but somehow that is not affected by the security settings of whether to use or not to use AX.
What is most intriguing is that in NONE of the major frameworks have I seen an implementation that uses the XML data islands as a fallback.
Have the creators of those libs never met this issue, or do they think that one way or the other “AJAX” will prevail and they are not concerned by what some government IT agency, for example, enforces as a quite reasonable security policy?